Which server role should you deploy?

Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing
department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the
AppServers OU.
You install Windows Defender on Nano1.
You need to ensure that you can deploy a shielded virtual machine to Server4. Which server role should you
deploy?

Your network contains an Active Directory domain named contoso.com.
The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.

You have an organizational unit (OU) named Marketing that contains the computers in the marketing
department.
You have an OU named Finance that contains the computers in the finance department.
You have an OU named AppServers that contains application servers.
A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the
AppServers OU.
You install Windows Defender on Nano1.
You need to ensure that you can deploy a shielded virtual machine to Server4. Which server role should you
deploy?

A.
Network Controller

B.
Device Health Attestation

C.
Hyper-V

D.
Host Guardian Service

Explanation:
https://blogs.technet.microsoft.com/datacentersecurity/2016/06/06/step-by-step-creating-shielded-vms-withoutvmm/
Shielding an existing VM
Let’s start with the simpler approach. This requires you to have a running VM on a host which is not the
guarded host.
This is important to distinguish, because you are simulating the scenario where a tenant wants to take an
existing, unprotected VM and shield it before moving it to
a guarded host.
For clarity, the host machine which is not the guarded host will be referred as the tenant host below.
A shielded VM can only run on a trusted guarded host.
The trust is established by the adding the Host Guardian Service server role (retrieved from the HGS
server) to the Key Protector which is used to shield
the VM.
That way, the shielded VM can only be started after the guarded host successfully attest against the HGS
server.
In this example, the running VM is named SVM. This VM must be generation 2 and have a supported OS
installed with remote desktop enabled.
You should verify the VM can be connected through RDP first, as it will almost certainly be the primary way to
access the VM once it is shielded (unless you have
installed other remoting capabilities).

Show Hint

Leave a Reply 0

Your email address will not be published. Required fields are marked *